{
    "slug": "hashing_algorithms_deep",
    "term": "Hashing Algorithms Deep Dive",
    "category": "algorithms",
    "difficulty": "intermediate",
    "short": "Comparing hash functions for different use cases — MD5/SHA-1 (broken, legacy), SHA-256/BLAKE3 (data integrity), bcrypt/Argon2 (passwords), xxHash/MurmurHash (non-cryptographic, fast).",
    "long": "Hash functions serve different purposes: Cryptographic hashes (SHA-256, SHA-3, BLAKE3) — collision and pre-image resistant, for data integrity and HMACs. Password hashing (bcrypt, Argon2id, scrypt) — deliberately slow, memory-hard, salted. Non-cryptographic hashes (xxHash, MurmurHash, CRC32) — extremely fast, not collision-resistant, for hash tables and checksums where security is not required. MD5 and SHA-1 are broken (collision attacks demonstrated) — never use for security. PHP: hash() for cryptographic, password_hash() for passwords, crc32() for non-security checksums.",
    "aliases": [
        "xxHash",
        "MurmurHash",
        "BLAKE3",
        "CRC32",
        "hash function comparison"
    ],
    "tags": [
        "algorithms",
        "cryptography",
        "php"
    ],
    "misconception": "A faster hash is always better — for passwords, slower is better (bcrypt cost factor); for HMACs, speed with security is the goal (SHA-256); for hash tables, pure speed wins (xxHash).",
    "why_it_matters": "Using SHA-256 for passwords (fast algorithm) is wrong; using bcrypt for a hash table (slow) is wrong — matching the hash function to the use case is the critical decision.",
    "common_mistakes": [
        "SHA-256 or MD5 for passwords — fast algorithms, GPU-crackable at billions per second.",
        "bcrypt for non-security checksums — 400ms per hash where 1 microsecond is sufficient.",
        "MD5 for file integrity — collision attacks allow two different files with the same MD5.",
        "CRC32 for security applications — CRC32 is not cryptographic and easily forged."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hash_functions_deep",
        "bcrypt",
        "argon2",
        "block_cipher_modes"
    ],
    "prerequisites": [
        "hash_functions_deep",
        "cryptographic_hash",
        "hmac"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html"
    ],
    "bad_code": "// Wrong hash for the job:\n$passwordHash = hash('sha256', $password);  // GPU-crackable in seconds\n$checksum     = password_hash($data, PASSWORD_BCRYPT); // 400ms for a file checksum!\n$fileInteg    = md5_file($upload);          // Collision-vulnerable integrity check",
    "good_code": "// Right hash for each use case:\n\n// Passwords — slow, memory-hard:\n$passwordHash = password_hash($password, PASSWORD_ARGON2ID);\n\n// File integrity — cryptographic, collision-resistant:\n$checksum = hash_file('sha256', $uploadPath);\n\n// HMAC — authenticated integrity:\n$mac = hash_hmac('sha256', $message, $secretKey);\n\n// Cache key (non-security) — fast:\n$cacheKey = 'page:' . crc32($url . $queryString); // Fast, not security\n\n// Constant-time comparison for all security-sensitive comparisons:\nif (!hash_equals($expected, $computed)) throw new SecurityException();",
    "quick_fix": "MD5 and SHA1 are cryptographically broken — use SHA-256 for checksums, SHA-3 or BLAKE3 for new systems, Argon2id for passwords, and HMAC-SHA256 for message authentication",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-16",
    "updated": "2026-04-05",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/hashing_algorithms_deep",
        "html_url": "https://codeclaritylab.com/glossary/hashing_algorithms_deep",
        "json_url": "https://codeclaritylab.com/glossary/hashing_algorithms_deep.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Hashing Algorithms Deep Dive](https://codeclaritylab.com/glossary/hashing_algorithms_deep) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/hashing_algorithms_deep"
            }
        }
    }
}